b"                    .\n\n\n\n\nU.S CONSUMER PRODUCT SAFTEY COMMISION\n\n\n\n\n   OFFICE OF THE INSPECTOR GENERAL\n\n\n\n\n    CONSUMER PRODCUT SAFETY RISK\n          MANAGEMENT SYSTEM\n     INFORMATION SECURITY REVIEW\n               REPORT\n        Fieldwork: December 2010 to February 2011\n\n\n\n\n               Issued: June 4, 2012\n\x0cMemorandum\n\n                                                                                Date:            June 5, 2012\n\nTO              Inez Tenenbaum\n                Chairman\n\nFROM            Christopher W. Dente!\n                Inspector General\n\nSUBJECT         Security Review of the CPSC's Consumer Product Safety Risk Management\n                System\n\nThe Office of Inspector General has completed its security review of the CPSC's Consumer\nProduct Safety Risk Management System. A copy of the resulting report is attached.\n\nManagement (EXIT and OEX) has been briefed regarding the findings and recommendations of\nthis audit and given an opportunity to respond to them. Management's response may be found as\nan attachment to the audit report. Management generally concurred with the findings of the audit\nand either agreed to implement corrective actions regarding those findings or indicated that\ncorrective action had already been taken.\n\nIf you have any questions about this report or wish to discuss it, please feel free to contact me at\n301-504-7644 or cdentel@cpsc.gov.\n\n\n\n                                                             Christop e\n                                                             Inspector General\n\n\n\n\n                     CPSC Hotline: 1-800-638-CPSC(2772)   :::<   CPSC's Web Site http://www.cpsc.gov\n\x0c                       TABLE OF CONTENTS\nEXECUTIVE SUMMARY ................................................................................................ 3\n   BACKGROUND ............................................................................................................ 3\n   OBJECTIVE ................................................................................................................... 3\n   SUMMARY OF FINDINGS .......................................................................................... 4\n   RECOMMENDATIONS ................................................................................................ 4\n   AUDITEE COMMENTS................................................................................................ 6\nINTRODUCTION .............................................................................................................. 7\nOBJECTIVE, SCOPE & METHODOLOGY..................................................................... 8\n   OBJECTIVE ................................................................................................................... 8\n   SCOPE ............................................................................................................................ 8\n   METHODOLOGY ......................................................................................................... 9\nRESULTS OF EVALUATION ........................................................................................ 11\n   SUMMARY .................................................................................................................. 11\n   FINDINGS AND RECOMMEDATIONS ................................................................... 11\n      FINDING 1: The draft Risk Management Framework strategy has yet to be\n      formalized or implemented. ...................................................................................... 11\n      FINDING 2: The CPSC has not yet developed an Enterprise Architecture with\n      Information Security considerations. ........................................................................ 12\n      FINDING 3: Insufficient documentation of the implementation of NIST SP 800-53\n      security controls in the CPSRMS SSP. ..................................................................... 13\n      FINDING 4: The CPSRMS SSP does not reflect the most current information and\n      often contradicts other Security control documents.................................................. 15\n      FINDING 5: The CPSRMS POAM does not include all elements required by OMB\n      Memorandum 04-25.................................................................................................. 17\n      FINDING 6: The CPSRMS Security Categorization Document does not adequately\n      justify impact assignments for 10 of the identified information types. .................... 18\n      FINDING 7: Insufficient documentation of the analysis disqualifying the non-\n      selected information types in the CPSRMS Security Categorization Document. .... 21\n      FINDING 8: The CPSRMS SSP does not outline specific Public Access controls in\n      place to mitigate the risks associated with allowing external user\xe2\x80\x99s access to\n      CPSRMS. .................................................................................................................. 21\nAPPENDIX I: MANGEMENT RESPONSE .................................................................. 23\n\n\n\n\n                                                                                                                                     2\n\x0c                             EXECUTIVE SUMMARY\n\nBACKGROUND\n\nThe Consumer Product Safety Improvement Act of 2008 (CPSIA), P.L. 110-314, Section\n212 requires the Consumer Product Safety Commission (CPSC) to implement a publicly\naccessible, searchable database of consumer product incident reports. To meet this\nrequirement the CPSC developed the Consumer Product Safety Risk Management\nSystem (CPSRMS). The CPSRMS houses personal, proprietary, and confidential data.\nAs defined by NIST SP 800-18, Guide for Developing Security Plans for Federal\nInformation Systems, CPSRMS is categorized as a major application. Therefore,\nCPSRMS is required to implement specific security controls and complete a Security\nCertification and Accreditation (C&A) separate from the CPSC General Support System\n(GSS LAN). NIST SP 800-37, Revision 1 Guide for Applying the Risk Management\nFramework to Federal Information Systems: A Security Life Cycle Approach, dated\nFebruary 2010 provides guidance and best practices for the C&A process that agencies\nare required to implement as a mandate of the Federal Information Security Management\nAct (FISMA). Consequently, CPSC management has reviewed and validated CPSRMS\xe2\x80\x99s\nsystem security through the performance of a C&A assessment and formally authorized\nCPSRMS to operate on January 16, 2011.\n\nTo satisfy the NIST SP 800-37 requirements, the CPSC contracted with Communications\nResources Inc. (CRI), an outside IT consultancy to perform the initial categorization,\nselection, and implementation of the CPSRMS security controls, and to develop the\nCPSRMS System Security Plan (SSP). Other deliverables provided by CRI included:\n    \xe2\x80\xa2 CPSRMS Risk Assessment\n    \xe2\x80\xa2 CPSRMS Security Categorization Document\n    \xe2\x80\xa2 CPSRMS Security Control Implementation Plan (SCIP)\n    \xe2\x80\xa2 CPSC Business Impact Analysis (BIA)\n\nCPSC also contracted with SecureIT, whom is responsible for developing the GSS LAN\nSSP and GSS LAN Security Assessment Report (SAR), to perform an independent\nsecurity assessment of the CPSRMS implementation and develop the SAR for CPSRMS.\nSecureIT would also be responsible for maintaining the CPSRMS SSP and be responsible\nfor developing the Continuous Monitoring Plan and the Asset Inventory Report.\n\nOBJECTIVE\n\nAs required by Section 205(a)(1) of the Consumer Product Safety Improvement Act\n(CPSIA) of 2008, the Office of Inspector General (OIG) is required to conduct reviews\nand audits to assess the CPSC\xe2\x80\x99s information technology architecture and systems and the\ndevelopment of the public database. In order to determine if the availability,\nconfidentiality, and integrity of data housed in CPSRMS is adequate, agency officials\nmust perform a C&A on the system. As such, the objective of this evaluation was to\n\n\n                                                                                      3\n\x0creview the application of the Risk Management Framework, as defined in NIST 800-37,\nto the CPSC\xe2\x80\x99s implementation of the CPSRMS.\n\nSUMMARY OF FINDINGS\n\nAt the time fieldwork was performed (December 2010 through February 2011), there\nwere several inconsistencies and weaknesses in the C&A assessment of the CPSRMS.\nThese weaknesses stemmed primarily from a lack of mature organizational processes and\nprocedural documents required to ensure the adequate governance of the C&A process.\nIn addition, management\xe2\x80\x99s lack of internal resources played a significant part in the\nweaknesses identified in the C&A assessment. Our findings include the following:\n\n1. The draft Risk Management Framework strategy has yet to be formalized or\n   implemented.\n\n2. The CPSC has not yet developed an Enterprise Architecture with Information\n   Security considerations.\n\n3. There is insufficient documentation of the implementation of NIST SP 800-53,\n   Revision 3 Recommended Security Controls for Federal Information Systems and\n   Organizations, dated August 2009, security controls in the CPSRMS SSP.\n\n4. The CPSRMS SSP does not reflect the most current information and often contradicts\n   other Security control documents.\n\n5. The CPSRMS Plan of Action and Milestones (POAM) does not include all elements,\n   required by Office of Management and Budget (OMB) Memoranda 04-25, FY 2004\n   Reporting Instructions for the Federal Information Security Management Act, dated\n   August 23, 2004.\n\n6. The CPSRMS Security Categorization Document does not adequately justify impact\n   assignments for 10 of the identified information types.\n\n7. There is insufficient documentation of the analysis disqualifying the non-selected\n   information types in the CPSRMS Security Categorization Document.\n\n8. The CPSRMS SSP does not outline specific Public Access controls in place to\n   mitigate the risks associated with allowing external user\xe2\x80\x99s access to CPSRMS.\n\nRECOMMENDATIONS\n\nOnce CPSC addresses the aforementioned issues, many of the subsequent C&A tasks will\nbecome significantly less cumbersome to administer, and the process will become more\ncontrolled and transparent. To assist the CPSC in addressing the weaknesses identified\nabove, we are providing the following recommendations:\n\n\n\n                                                                                        4\n\x0c1. Identify the participants of the CPSC Risk Executive Council and define specific\n   tasks/milestones for implementing the proposed Risk Management Framework.\n   CPSC Senior Management should then define a methodology for developing and\n   establishing a formal organizational tolerance for risk in the Risk Management\n   Framework.\n\n2. Develop an Enterprise Architecture that includes a comprehensive IT Security\n   Architecture using the CIO Counsel\xe2\x80\x99s guidance (FEA-Security-Privacy-Profile-v3-9-\n   30-2010) and incorporate this into the Security Control Documents. Further, all the\n   security controls, including the NIST SP 800-53 required controls, should be mapped\n   to the Enterprise Architecture/Information Security Architecture to provide a\n   comprehensive view of the security control relationships.\n\n3. Fully document the implementation of the security controls, including the\n   implementation of the sub-controls, in the CPSRMS SSP with sufficient detail to\n   facilitate the assessment of individual controls.\n\n4. Update the CPSRMS SSP to be the single authoritative system security document.\n   The update of the document should include the correct go-live date and the latest\n   understanding of the current state of CPSRMS Security. As such, the CPSC should:\n      a. Revise and update the CPSRMS SSP and the other security control documents\n          to identify and reconcile all inconsistencies between said documents.\n      b. Management should perform an assessment over the independent contractor\n          control assessments to determine which position the CPSC will support.\n          Upon completion of the assessment, the CPSRMS SSP should document\n          CPSC's current position in addition to the justification for any positions held\n          in opposition to SecureIT.\n      c. Update the CPSRMS SSP to include the results of other technical security\n          reviews.\n      d. Reassess the common, hybrid, and system specific control significations to\n          provide accurate descriptions of controls in the CPSRMS SSP.\n      e. Re-scan the network to define all devices with the CPSRMS System\n          Boundary. Document the results of this scan in the SSP.\n\n5. Update the POAM to include the missing information, as required by OMB M-4-25.\n\n6. Perform an assessment to ensure the adequate categorization of Information Types.\n   The logic for categorizing the Information Types as \xe2\x80\x9cHigh\xe2\x80\x9d, \xe2\x80\x9cModerate\xe2\x80\x9d, or \xe2\x80\x9cLow\xe2\x80\x9d\n   should be consistent with the guidance provided in NIST SP 800-60, Guide for\n   Mapping Types of Information and Information Systems to Security Categories: (2\n   Volumes) - Volume 1: Guide Volume 2: Appendices, dated August 2008.\n\n7. An analysis should be performed to ensure that all of the Information Types outlined\n   in the NIST 800-60 framework were appropriately included in or excluded from the\n   CPSRMS Security Categorization document.\n\n\n\n                                                                                          5\n\x0c8. Define the specific Public Access controls in place/planned, or reference the\n   document defining these controls within the CPSRMS SSP.\n\nAUDITEE COMMENTS\n\nThe auditee responses have been included as an appendix to this report. The auditees\nconcurred with the majority of our findings and recommendations and indicated that\nwork has been completed or is already in progress to address many of the deficiencies\nfound.\n\n\n\n\n                                                                                        6\n\x0c                                   INTRODUCTION\n\nThe Consumer Product Safety Commission Public Database\n\nThe Consumer Product Safety Improvement Act of 2008 (CPSIA), P.L. 110-314, Section\n212 requires the CPSC to implement a publicly accessible, searchable database of\nconsumer product incident reports. Pursuant to section 6A(a)(3) of the CPSIA, the\ndatabase must be established within the 18-month period following the CPSC\xe2\x80\x99s\nsubmission of a plan to Congress regarding the Database implementation under section\n6A(a)(2). The CPSC submitted this plan to Congress on September 10, 2009. Therefore,\nthe Database launch date was set for March 11, 2011.\n\nThe Consumer Product Safety Risk Management System\n\nThe CPSC contracted with InfoReliance (IR) on August 18, 2008, to begin the\ndevelopment of a solution to meet this legislative requirement for a public database. IR\ncustomized one of its Commercial-Off-The-Shelf (COTS) products to meet the\nrequirements defined by the CPSIA/CPSC management and developed\nSaferProducts.gov. The purpose of this tool is to provide a single, central location where\nconsumers can report incidents and search for prior incidents/recalls. Additionally, this\ntool will provide the manufacturers of the products in question with an opportunity to\ncomment on actions taken to remediate the product safety concerns, as well as rebut,\ncorrect, and add additional precision to such reports. Moreover, this tool is an integral\npart of the overall IT Modernization effort, termed CPSRMS. As such, it is the\nexpectation of the CPSC that the implementation of CPSRMS is to occur over the course\nof the next 2 to 3 years at the CPSC.\n\nThe CPSRMS architecture includes a core development framework, in addition to, three\nkey applications using the framework: Consumer/Public Portal, Industry Partner Portal,\nand Incident Management Control Center (IMCC). By customizing an existing COTS\nproduct, the CPSC does not have to develop and support an in-house solution and has the\noption to draw from an outside pool of experts for future support needs. However, the\nchallenge with this type of implementation is integrating the COTS tool with the legacy\nsolutions already in place at the CPSC. Therefore, in order to ensure the validity of the\nIR architectural documentation and identify security vulnerabilities associated with the\noverall CPSRMS architecture, which includes the integration between the IR solution and\nthe legacy systems already in place, the CPSC contracted with Aspect Security on June\n29, 2010, to perform an independent architectural security review. The scope of this\nreview included the custom application components and related controls developed by\nthe CPSC. Analysis of these custom application components and controls focused on the\nareas of Identity Management and Authentication, Session Management, Access Control,\nInput Validation and Output Encoding, and Sensitive Data Protection.\n\n\n\n\n                                                                                         7\n\x0c                   OBJECTIVE, SCOPE & METHODOLOGY\n\nOBJECTIVE\n\nThe objective of this review was to assess the application of the Risk Management\nFramework, as defined in NIST 800-37, to the CPSRMS implementation. This was to\nensure the agency performed all of the tasks required to ensure the availability,\nconfidentiality and integrity of the data housed in CPSRMS.\n\nSCOPE\n\nThis evaluation consisted of review of CPSC\xe2\x80\x99s C&A assessment of CPSRMS against the\nRisk Management Framework, as outlined in NIST SP 800-37, Revision 1 Guide for\nApplying the Risk Management Framework to Federal Information Systems: A Security\nLife Cycle Approach, dated February 2010 and the requirements of Section 212 of the\nCPSIA. As such, our review included the following processes within the boundaries of\nthe CPSRMS solution:\n\n\n\n\n                                                                                    8\n\x0cMETHODOLOGY\n\nThis review is not an audit, thus it was not conducted in accordance with generally\naccepted government auditing standards. As such, our review was conducted in\naccordance with Quality Standards for Inspections and Review. The performance of\nfieldwork occurred from December 2010 to February 2011 at the CPSC\xe2\x80\x99s headquarters\nlocated in Bethesda, Maryland. In order to accomplish our objective, we reviewed the\nrequirements of the CPSRMS implementation through obtaining and reviewing the key\nreports developed by CPSC management and their independent contractors,\ndocumenting the CPSRMS implementation and related security architecture.\nThroughout our review of supporting documents obtained, we held key discussions\nwith the Office of Information and Technology\xe2\x80\x99s (EXIT) Chief Information Officer,\nDivision of Policy and Planning (ITPP) Director, Information Systems Security Officer,\nand relevant members of their staffs.\n The principle criteria used for this review included:\n\n   \xe2\x80\xa2   The Consumer Product Safety Improvement Act of 2008, P.L. 110-314, Section\n       212\n\n   \xe2\x80\xa2   Federal Information Security Management Act of 2003, Title III of the E-\n       Government Act of 2002, P.L. 107-347\n\n   \xe2\x80\xa2   OMB Circular A-130, Transmittal Memorandum #4, Management of Federal\n       Information Resources, dated November 28, 2000\n\n   \xe2\x80\xa2   OMB Memoranda 04-25, FY 2004 Reporting Instructions for the Federal\n       Information Security Management Act, dated August 23, 2004\n\n   \xe2\x80\xa2   NIST SP 800-37, Revision 1 Guide for Applying the Risk Management\n       Framework to Federal Information Systems: A Security Life Cycle Approach,\n       dated February 2010\n\n   \xe2\x80\xa2   NIST SP 800-39 (Draft), Managing Information Security Risk: Organization,\n       Mission, and Information System View, dated March 2011\n\n   \xe2\x80\xa2   NIST SP 800-53, Revision 3 Recommended Security Controls for Federal\n       Information Systems and Organizations, dated August 2009\n\n   \xe2\x80\xa2   NIST SP 800-53A, Revision 1 Guide for Assessing the Security Controls in\n       Federal Information Systems and Organizations, Building Effective Security\n       Assessment Plans, dated June 2010\n\n   \xe2\x80\xa2   NIST SP 800-60, Guide for Mapping Types of Information and Information\n       Systems to Security Categories: (2 Volumes) - Volume 1: Guide Volume 2:\n\n\n                                                                                         9\n\x0c    Appendices, dated August 2008\n\n\xe2\x80\xa2   NIST SP 800-70, National Checklist Program for IT Products \xe2\x80\x93 Guidelines for\n    Checklist Users and Developers, February 2011\n\n\xe2\x80\xa2   FIPS 199, Standards for Security Categorization of Federal Information and\n    Information Systems, dated February 2004\n\n\xe2\x80\xa2   FIPS 200, Minimum Security Requirements for Federal Information and\n    Information Systems, dated March 2006\n\n\n\n\n                                                                                  10\n\x0c                            RESULTS OF EVALUATION\n\nSUMMARY\n\nOverall, we found several inconsistencies and weaknesses in the way the CPSC executed\nthe C&A process of CPSRMS. These weaknesses stemmed primarily from a lack of\norganizational resources at the time of CPSRMS implementation; thus, resulting in the\nheavy reliance on independent contractors for the development and implementation of\nCPSRMS. Further, the lack of mature organizational processes and procedural\ndocuments required to ensure the adequate governance of the C&A process also\ncontributed to the inconsistencies and weaknesses found.\n\n\nFINDINGS AND RECOMMEDATIONS\n\nFINDING 1: The draft Risk Management Framework strategy has yet to be\nformalized or implemented.\n\nA Risk Management Framework has been drafted, but not been implemented. As such,\nthe CSPC has not formally implemented a Risk Executive (function). The CPSC\nSecurity team documented the CPSC Risk Management Framework based on the NIST\nSP 800-39 (Draft), Managing Information Security Risk: Organization, Mission, and\nInformation System View, dated April 2008. NIST SP 800-39 outlined the proposed\napproach to addressing risk from an organizational perspective and it addresses most of\nthe NIST SP 800-37 requirements. The implementation of Risk Management Framework\nand the establishment Risk Executive (function) did not occur due to a lack of resources\navailable to perform the required duties and a lack of management support for the\ncreation of these organizational roles. Consequently, the tasks required in NIST SP 800-\n37 and NIST SP 800-39 are not being performed. Thus, there is a strong likelihood that\nthe agency has not assigned the correct amount of effort/ resources to identifying,\nprioritizing, and mitigating agency risks.\n\nMoreover, the CPSC did not document one of the topics that NIST SP 800-37 requires in\nthe Risk Management strategy \xe2\x80\x93 the Organizational Risk Tolerance. Per CPSC\nmanagement, the Organizational Risk Tolerance has not been defined or documented.\nFor C&A purposes, CPSC management informally tied the Agency Organizational Risk\nTolerance to the CPSRMS system categorization of \xe2\x80\x9cModerate.\xe2\x80\x9d The system\ncategorization of \xe2\x80\x9cModerate\xe2\x80\x9d was defined using FIPS 199, Standards for Security\nCategorization of Federal Information and Information Systems, dated February 2004.\nManagement also documented the level of risk acceptable for CPSRMS to operate in the\nAuthorization to Operate (ATO) document. The ATO document states that CPSRMS\nwill not be authorized to operate if any \xe2\x80\x9chigh-impact\xe2\x80\x9d security weaknesses are identified\nand unmitigated. The CPSRMS POAM listing is where security weaknesses are\ndocumented and assigned impact levels. This listing is derived from several assessments,\nincluding the CPSRMS SSP, SAR, and various technical evaluations.\n\n                                                                                      11\n\x0cRecommendations:\n\n1. Identify the participants in the CPSC Risk Executive Council, and then begin the top-\n   down and bottom-up process of developing a risk management organization. A top\n   down approach to developing a risk management organization requires senior\n   management to identify the participants of the Executive Risk Council. A bottom up\n   approach to developing the risk management organization requires the Executive Risk\n   Council to identify the resources responsible to provide the relevant risk information\n   within the organization. Additionally, require these resources, as outlined in the Risk\n   Management Framework, to begin taking on the risk management responsibilities\n   assigned to them.\n\n2. Define specific tasks and milestones associated with implementing the proposed Risk\n   Management Framework. Additionally, implement a process to track and quantify\n   the aggregate risks from all Information Systems (e.g., a risk heat map) and include\n   this procedure in the Risk Management Framework. This should be lead by the Risk\n   Executive Function and tied to the Enterprise Architecture.\n\n3. Senior CPSC management (e.g., the Risk Executive Function) should define a\n   methodology for developing the risk tolerance for the CPSC and formally establish an\n   organizational tolerance for risk in the Risk Management Framework. The risk\n   tolerance should be communicated and guidance provided to appropriate agency\n   resources on how risk tolerance impacts ongoing decision making activities, as\n   recommended by NIST SP 800-39 (Draft). Moreover, update the Risk Assessment to\n   include documentation of the risk tolerance and used to justify the ATO decisions\n   going forward.\n\n\nFINDING 2: The CPSC has not yet developed an Enterprise Architecture with\nInformation Security considerations.\n\nThe CPSC has not yet developed an Enterprise Architecture with Information Security\nconsiderations; therefore, the information types and security controls have never been\nmapped to the Enterprise Architecture. This is due to the amount of effort required to\ndocument the Enterprise Architecture and the limited number of agency resources\nassigned to this effort. This has lead to the CPSC\xe2\x80\x99s inability to document properly the\nimplementation of system-specific and hybrid security controls within the information\nsystem while taking into account specific technologies and platform dependencies.\nAdditionally, the CPSRMS SSP states that the Information Security and Enterprise\nArchitecture was planned to be implemented for FY 2010; however, that deadline has\npassed, and this had not yet been accomplished. Without a comprehensive Enterprise\nArchitecture, entire enterprise components (Segment and Solution Architectures) may go\nunidentified, and the weaknesses associated with these enterprise components may go un-\nremediated due to this lack of mapping and visibility.\n\n\n\n                                                                                       12\n\x0cRecommendations:\n\nDevelop an Enterprise Architecture that includes a comprehensive IT Security\nArchitecture using the CIO Counsel\xe2\x80\x99s guidance (FEA-Security-Privacy-Profile-v3-9-30-\n2010) and incorporate this into the relevant Security Control Documents. Additionally,\nall the security controls, including the controls required by NIST SP 800-53, Revision 3\nRecommended Security Controls for Federal Information Systems and Organizations,\ndated August 2009, should be mapped to the Enterprise Architecture/Information\nSecurity Architecture to provide a comprehensive view of the security control\nrelationships. CPSC can accomplish this through the development of Segment\nArchitectures based on the primary CPSC mission objectives and business processes.\nOnce the definition of segments occurs, a Solution Architecture should be designed for\neach of the individual Segments. The Solution Architectures should include details that\ndefine each of the related security controls, including those defined in NIST SP 800-53.\nThe Solution Architecture should also include mapping to the other Solution and\nSegment Architectures and with this view, controls should be classified as \xe2\x80\x9cCommon,\xe2\x80\x9d\n\xe2\x80\x9cHybrid,\xe2\x80\x9d or \xe2\x80\x9cSystem Specific.\xe2\x80\x9d For controls defined as \xe2\x80\x9cHybrid,\xe2\x80\x9d these controls should\nbe included in all associated Solution/Segment Architectures to ensure that the control\ncomponents are properly mapped to each of the participating systems. As for all controls\ndefined as \xe2\x80\x9cCommon,\xe2\x80\x9d these controls should be included (or referred to) in each of the\nassociated Solution/Segment Architectures to provide a full view of the security of each\nof the Solutions and Segment Architectures. In addition, to assign priority and criticality\nto each of the IT Systems in terms of \xe2\x80\x9cConfidentiality,\xe2\x80\x9d \xe2\x80\x9cIntegrity,\xe2\x80\x9d and \xe2\x80\x9cAvailability,\xe2\x80\x9d\nthe use of Enterprise Architecture is appropriate, and this process is not defined in any of\nthe other Security Control Documents.\n\nTo assist management in categorizing Information Types and their associated Information\nSystems in terms of their impact on Confidentiality, Availability, and Integrity, the use of\nthe Enterprise Architecture is appropriate. The Information Types should be defined in\nthe Information Catalog section of the Business Architecture. Additionally, a section in\nthis catalog should be included to categorize this impact in both mission continuity terms\nand NIST terms as these two views differ, but they are both important to management\nfrom a planning and control perspective.\n\n\nFINDING 3: Insufficient documentation of the implementation of NIST SP 800-53\nsecurity controls in the CPSRMS SSP.\n\nThe implementation of the NIST SP 800-53 security controls did not include sufficient\ndetail of implementation in the CPSRMS SSP. This was due to lack of management\noversight of the CRI contract and management not effectively enforcing the stipulations\nset forth in the CRI Statement of Work. Without sufficient detail, the traceability to the\ndecisions made prior to and after the deployment of the information system, as required\nby NIST SP 800-37, may not be possible. As such, we noted the following:\n\n\n\n                                                                                          13\n\x0c   a) Individual documentation of the sub-controls and their implementation was not\n      included; therefore, the CPSRMS SSP was unable to describe \xe2\x80\x9cthe intended\n      application of each control in the context of the information system with sufficient\n      detail to enable a compliant implementation of the control.\xe2\x80\x9d Moreover, the\n      control developer/implementer did not provide a description of the functional\n      properties of the control with sufficient detail to permit analysis and testing of the\n      control, as required by NIST 800-53. The implementation description included a\n      description of the finding, if the control was deemed to be not fully compliant, or\n      a high-level description of the control, if it was deemed to be in place; however,\n      the control descriptions were not defined in terms of \xe2\x80\x9cPlanned Inputs,\xe2\x80\x9d \xe2\x80\x9cExpected\n      Behavior,\xe2\x80\x9d and \xe2\x80\x9cExpected Outputs,\xe2\x80\x9d as required. Further, it was noted that a\n      description that might be used to document \xe2\x80\x9cMinimum Assurance Requirements\xe2\x80\x9d\n      was not documented. Although the SCIP documented unimplemented controls in\n      these terms, it contains only 12 security controls. However, there were 86\n      \xe2\x80\x9cPlanned,\xe2\x80\x9d \xe2\x80\x9cPartially Compliant,\xe2\x80\x9d or \xe2\x80\x9cNoncompliant\xe2\x80\x9d controls that appeared in\n      the SSP and 47 \xe2\x80\x9cOther than Satisfied\xe2\x80\x9d controls that appeared in the CPSRMS\n      SAR. Additionally, the CPSRMS SARs did not include sufficient descriptions of\n      any of the controls considered fully implemented.\n\n   b) Four controls: PM-10, SI-10, AU-9, and IA-8, were defined, as \xe2\x80\x9cPartially\n      Compliant\xe2\x80\x9d in the CPSRMS SSP, but did not have an associated implementation\n      strategy documented in the CPSRMS SSP; and were not separately documented\n      in the SCIP or Risk Assessment. Instead, where this information should have\n      been documented, the signification \xe2\x80\x9cNone\xe2\x80\x9d appeared.\n\n   c) The documentation regarding tailoring of the baseline security controls, by\n      applying scoping, parameterization, and compensating control guidance, was\n      incomplete. For example, parameterization details such as configuration\n      parameters; session timeout; registry settings; account, file, and directory settings\n      (i.e. permissions, and settings for services, ports, protocols, and remote\n      connections) were not documented in the CPSRMS SSP. In addition, guidance on\n      how the agency plans to employ compensating controls was not documented in\n      the CPSRMS SSP.\n\n   d) The documentation for the justification for adding 10 supplemental controls to the\n      CPSRMS SSP was incomplete. As NIST SP 800-53 provisions for a moderate\n      impact system did not require these controls, OMB A-130 states that the agency\n      must \xe2\x80\x9cDescribe each occasion the agency decides to employ standards and\n      guidance that are more stringent than those promulgated by NIST to ensure the\n      use of risk-based cost-effective security controls for non-national security\n      applications.\xe2\x80\x9d\n\nRecommendations:\n\n1. Fully document the implementation of the security controls, including the\n   implementation of the sub-controls, in the CPSRMS SSP with sufficient detail to\n\n                                                                                          14\n\x0c   facilitate the assessment of individual controls. This includes documenting specific\n   actions that will be required to perform the control, as well as determining whether to\n   accept that the control is correctly designed and operating effectively by defining the\n   Minimum Assurance Requirements. The CPSRMS SAR format is a more effective\n   format to accomplish this than the one currently being used for the CPSRMS SSP.\n\n2. Define all security controls assessed in the CPSRMS SSP/SAR assessments in terms\n   of \xe2\x80\x9cPlanned Inputs\xe2\x80\x9d (including cost and resources required), \xe2\x80\x9cExpected Behavior,\xe2\x80\x9d\n   and \xe2\x80\x9cExpected Outputs\xe2\x80\x9d within the CPSRMS SSP, SCIP, or Risk Assessment. If this\n   is not to be documented directly in the text of the CPSRMS SSP, then the document\n   that has this information should be included as an Appendix in the CPSRMS SSP to\n   provide adequate traceability for decisions made prior to and after the implementation\n   of CPSRMS.\n\n3. Document the cost-benefit analysis for adding each of the supplemental NIST SP\n   800-53 controls. Additional explanatory details should be added to the CPSRMS SSP\n   to justify the additional 10 controls.\n\n4. Add control parameters to the control descriptions in the SSP, where applicable.\n\n5. Draft an implementation plan for each of the CPSRMS security controls, as well as\n   for the four \xe2\x80\x9cPlanned\xe2\x80\x9d controls identified without a planned implementation strategy\n   (PM-10, SI-10, AU-9, and IA-8). The CPSRMS SSP should document the planned\n   implementation strategy. This may be accomplished by updating the SCIP to include\n   all controls identified in the CPSRMS SSP and CPSRMS SAR as \xe2\x80\x9cOther than\n   Satisfied,\xe2\x80\x9d \xe2\x80\x9cPlanned,\xe2\x80\x9d \xe2\x80\x9cPartially Compliant,\xe2\x80\x9d or \xe2\x80\x9cNoncompliant.\xe2\x80\x9d\n\n6. All controls that were considered \xe2\x80\x9cOther than Satisfied,\xe2\x80\x9d \xe2\x80\x9cPlanned,\xe2\x80\x9d \xe2\x80\x9cPartially\n   Compliant,\xe2\x80\x9d or \xe2\x80\x9cNoncompliant\xe2\x80\x9d as per the SSP or SAR should be included on the\n   POAM or have the justification for their exclusion from the POAM documented.\n\n\nFINDING 4: The CPSRMS SSP does not reflect the most current information and\noften contradicts other Security control documents.\n\nThe CPSRMS SSP does not reflect the most current information and often contradicts\nother Security control documents. The disagreement and inconsistencies amongst the\nsecurity control documents was attributed to management\xe2\x80\x99s inability to establish a\nmethodology to reconcile the divergence in the reporting styles of the two vendors, who\nperformed and documented the assessments. For example, each vendor used different\ncriteria to define \xe2\x80\x9cCommon,\xe2\x80\x9d \xe2\x80\x9cHybrid\xe2\x80\x9d and \xe2\x80\x9cSystem Specific\xe2\x80\x9d controls, as well as used\ndifferent criteria to assess the compliance of the required NIST controls. Management\ndid not know of the differences until notification by the OIG. Consequently, this has lead\nto an incomplete/inaccurate representation of the CPSRMS security profile and a general\nlack of consistency between the security control documents. For example, we noted the\n\n\n\n                                                                                        15\n\x0cfollowing:\n\n   a) The CPSRMS SSP states that CPSRMS \xe2\x80\x9cwill be operational in October 2010\xe2\x80\x9d\n      and the launch at the time of fieldwork was set for March 11, 2011.\n\n   b) Twenty devices identified in the CPSRMS system boundary as part of the\n      SecureIT Inventory Assessment were not included in the CPSRMS SSP.\n\n   c) The CPSRMS SSP does not include the vulnerabilities identified as part of the\n      Security Assessment Report and other technical assessments (e.g., assessments\n      performed by Aspect Security)\n\n   d) The CPSRMS SSP, developed by CRI, does not define \xe2\x80\x9cCommon\xe2\x80\x9d controls the\n      same way as Secure IT's developed CPSRMS SAR or the GSS LAN. There are\n      17 System Specific/Hybrid controls assessed and defined in the SSP by SecureIT,\n      as part of their independent validation of the implementation of NIST SP 800-53\n      security controls, and documented in the CPSRMS SAR as \xe2\x80\x9cSystem Specific\xe2\x80\x9d or\n      \xe2\x80\x9cHybrid\xe2\x80\x9d controls. Instead, these controls were defined as \xe2\x80\x9cCommon\xe2\x80\x9d and were\n      tested and documented as part of the GSS LAN SAR.\n\n   e) SecureIT\xe2\x80\x99s original assessment of SC-14 was \xe2\x80\x9cNot Compliant,\xe2\x80\x9d which was\n      documented (although never subsequently updated after its reassessment) in the\n      GSS LAN SSP. Then, after some remediation, SC-14 was reassessed as part of\n      the CPSRMS SAR process and it was deemed \xe2\x80\x9cIn Place,\xe2\x80\x9d which is the position\n      that management holds. However, CRI holds a different position and considers\n      this control to be \xe2\x80\x9cPartially Compliant,\xe2\x80\x9d as is documented in the CPSRMS SSP,\n      even after the control reassessment. Furthermore, management has not\n      documented which position it supports along with their justification for holding\n      this position.\n\n   f)    Three controls: SI-03, SC-02, and SC-23, which were identified on the SAR as\n        \xe2\x80\x9cSatisfied\xe2\x80\x9d were identified on the SCIP, either as \xe2\x80\x9cPlanned,\xe2\x80\x9d or \xe2\x80\x9cSolution\n        Identified\xe2\x80\x9d but not implemented. Moreover, the CPSRMS SSP identified these\n        three controls as either \xe2\x80\x9cNoncompliant\xe2\x80\x9d (SI -03) or \xe2\x80\x9cPartially Compliant\xe2\x80\x9d (SC-02\n        and SC-23).\n\nRecommendations:\n\n1. Update the SSP to include the correct go-live date and to reflect the latest\n   understanding of the current state of CPSRMS security. As such, CPSC should\n   perform the following:\n\n        a. Reconcile the CPSRMS SSP with the other security control documents (e.g.,\n           CPSRMS SAR, GSS LAN SAR, SCIP, Security Categorization Document,\n           and Risk Assessments), to identify all variances and update the documents to\n\n\n\n                                                                                         16\n\x0c           present one consistent \xe2\x80\x9csnapshot\xe2\x80\x9d of system security.\n\n       b. Management should also perform an assessment to determine which position\n          it supports (with significant weight given to the independent assessors) and\n          justify/document their position in the SSP so that the SSP can be the single,\n          authoritative security document for CPSRMS.\n\n       c. Additionally, to support the objective of the CPSRMS SSP becoming the\n          single, authoritative security document for CPSRMS, updates to the SSP\n          should include the results of the related SARs and other technical security\n          reviews (e.g., Aspect Security reviews).\n\n       d. Reassess the \xe2\x80\x9cCommon,\xe2\x80\x9d \xe2\x80\x9cHybrid,\xe2\x80\x9d and \xe2\x80\x9cSystem Specific\xe2\x80\x9d control\n          significations, and update the SSP to include an accurate description of\n          controls in addition to the justification for each of the control significations.\n\n       e. The network should be re-scanned to define all of the devices within the\n          CPSRMS System Boundary and the results of this scan should be included in\n          the SSP. Moreover, management should reassess any additional controls\n          required because of the discoveries made by this scan for proper\n          implementation and document the results of this assessment in the SSP, if\n          applicable.\n\n2. A description of how CPSRMS is integrated into the Enterprise Architecture, which\n   should include the Information Security Architecture, should be documented in the\n   CPSRMS SSP.\n\n3. Update the POAM to reflect the changes made to the updated SSP, where applicable.\n\n\nFINDING 5: The CPSRMS POAM does not include all elements required by OMB\nMemorandum 04-25.\n\nThe POAM does not include all OMB M-4-25 required components. It was noted that\nthe CPSC\xe2\x80\x99s POAM process is in an immature state; thus, resulting in incomplete\nimplementation. With incomplete implementation of the POAM, vulnerabilities may not\nbe properly tracked and reported, leading to a lack of effective and timely remediation of\nthe known issues. We noted the following required components omitted from the\nPOAM:\n\n   \xe2\x80\xa2   milestone change records and related documentation to justify the changes;\n   \xe2\x80\xa2   estimated resources used for the remediation effort and the related justification;\n   \xe2\x80\xa2    justification for scheduling estimates and;\n   \xe2\x80\xa2   estimated cost with its related justification and the funding source.\n\n\n\n                                                                                              17\n\x0cAdditionally, the POAM includes a field to define specific tasks and milestones;\nhowever, this field currently is not being utilized. Therefore, the specific tasks set forth\nto accomplish this remediation are not documented. Furthermore, the only dates that are\ndefined in the POAM are the start, due, and completion dates for the issue as a whole;\nthus, the POAM does not define due dates for individual milestones.\n\nRecommendation:\n\nUpdate the POAM to include the missing information.\n\n\nFINDING 6: The CPSRMS Security Categorization Document does not adequately\njustify impact assignments for 10 of the identified information types.\n\nThe Categorization Document does not adequately justify impact assignments for 10 of\nthe identified information types, as stipulated by NIST SP 800-60, Guide for Mapping\nTypes of Information and Information Systems to Security Categories: (2 Volumes) -\nVolume 1: Guide Volume 2: Appendices, dated August 2008. For example, OIG found\nthat the \xe2\x80\x9cCorrective Action\xe2\x80\x9d information type was categorized as \xe2\x80\x9cLow\xe2\x80\x9d in terms of\n\xe2\x80\x9cAvailability.\xe2\x80\x9d However, the assignment of this signification was justified in the text of\nthe report using the same logic that was used to raise the \xe2\x80\x9cPopulation Health Management\nand Consumer Safety\xe2\x80\x9d information type from \xe2\x80\x9cLow\xe2\x80\x9d to \xe2\x80\x9cModerate.\xe2\x80\x9d As for the reason\nfor these discrepancies, the agency did not adequately document the justification for the\nimpact assignments for the identified information types. Thus, there is a possibility that\nthe impact assignments are inaccurate, causing an inaccuracy in the solution\xe2\x80\x99s overall\nimpact rating. If the overall impact rating is inaccurate, the amount of effort to protect\nthe solution may not be commensurate with the risk posed by the solution to the agency\nassets and mission.\n\nIn addition, it was noted the Categorization document states: \xe2\x80\x9cFurther analysis of data\ngathered as part of the development of the conceptual architecture and discussions with\nCPSC is required to establish special factors to raise or lower the impact levels of the\nsecurity objectives\xe2\x80\x9d; and no additional work has been performed yet.\n\nPlease see table below for details surrounding each of the discrepancies.\n\n\n                                                                  Appropriate\n                                                Impact Assigned NIST SP 800-60\n Information                                         in the          Impact\n    Type        Language in Categorization       Categorization Assessment based\n  Category                Document                 Document     on this language\nCorrective   Confidentiality: Manufacturers and Low             Moderate\nAction       consumers will provide corrective\n             actions for the various products.\n             The protection of confidentiality\n\n                                                                                          18\n\x0c                 for this information type has a low\n                 impact on CPSC, unless the\n                 consumer does not want to be\n                 identified.\nCorrective       Availability: Much like the         Low   High\nAction           Population Health Management\n                 and Consumer Safety Information\n                 Type, users will expect this\n                 information to be available 24/7.\n                 This is a unique situation where\n                 the impact on the CPSC could be\n                 severe if the information is not\n                 available in a timely manner.\nCongressional    Confidentiality: This information Low     Moderate\nLiaison          may not be made available to the\n                 public unless through the public\n                 relations information type. If this\n                 is CPSC/congressional\n                 information, then this information\n                 will have a serious impact if\n                 confidentiality is compromised. If\n                 this was a reporting of public\n                 record then this information would\n                 be made available to the public and\n                 have a low impact.\nCongressional    Integrity: The integrity of this    Low   Moderate\nLiaison          information will be important,\n                 regardless of whether it is\n                 disclosed publicly or remains\n                 internal to CPSC. The impact of a\n                 compromise of integrity would\n                 have a serious impact.\nLegal            Confidentiality: The Office of the Low    Moderate\nProsecution      General Counsel oversees Legal\nand Litigation   Prosecution and Litigation Type\n                 information and may disclose only\n                 a portion of the information to the\n                 public. The unauthorized\n                 disclosure of this information\n                 would have a serious impact on the\n                 CPSC and require protection.\nLegal            Integrity: The integrity of this    Low   Moderate\nProsecution      information, that is the\nand Litigation   unauthorized modification of legal\n                 prosecution and litigation\n                 information, would also have a\n\n                                                                      19\n\x0c                 serious adverse impact on the\n                 CPSC and impede the case\n                 management system processes.\nGeneral          Integrity: The integrity of this        Low        Moderate\nPurpose Data     information is very important\nand Statistics   because it is used to perform\n                 statistical analysis and is used for\n                 decision support analysis. The\n                 unauthorized change or\n                 modification of this data would\n                 have a serious impact on the\n                 CPSC.\nGeneral          Availability: Because this              Low        Moderate\nPurpose Data     information primarily would be\nand Statistics   used during business hours, the\n                 availability of this data would be\n                 important and have a serious\n                 impact on the CPSC from 6 a.m.\xe2\x80\x938\n                 p.m.; but if large statistical\n                 analyses are run overnight, then\n                 the data may be required to be\n                 available 24/7.\nIntellectual     Integrity: The integrity of this        Low        Moderate\nProperty         information must be protected,\nProtection       especially if it is used for litigation\n                 purposes. The compromise of\n                 integrity for this information type\n                 could have a serious impact on the\n                 CPSC.\nPopulation       Integrity: The compromise of the Low               Moderate\nHealth           integrity of this information type\nManagement       could have a serious impact on the\nand Consumer     CPSC, a manufacturer, and a\nSafety           manufacturer\xe2\x80\x99s public image if the\n                 information is not correct. It is\n                 critical that this information is\n                 accurate.\n\nRecommendation:\n\nPerform an assessment to ensure adequate categorization of Information Types and that\nthe logic for categorizing the Information Types as \xe2\x80\x9cHigh,\xe2\x80\x9d \xe2\x80\x9cModerate,\xe2\x80\x9d or \xe2\x80\x9cLow\xe2\x80\x9d is\nconsistent with the guidance provided in NIST SP 800-60.\n\n\n\n\n                                                                                        20\n\x0cFINDING 7: Insufficient documentation of the analysis disqualifying the non-\nselected information types in the CPSRMS Security Categorization Document.\n\nThe Categorization Document contained justification of the selected information types\nthat were chosen; however, the documentation of the analysis disqualifying the non-\nselected information types was omitted. Moreover, the Categorization document\nstates:\xe2\x80\x9cAt this point in the system lifecycle, it is still unclear whether the identified\ninformation types are appropriate and part of the CPSC vision for CPSRMS and its\nconcept of operations\xe2\x80\x9d and no additional work, as yet, has been performed. This\noccurred, due to a lack of management oversight of the CRI contract and to management\nnot effectively enforcing the stipulations set forth in the CRI Statement of Work. The\nCPSRMS solution was assigned a \xe2\x80\x9cprovisional\xe2\x80\x9d system impact rating based on the\nassessment of each of the selected information types documented in the Categorization\ndocument. Therefore, any missing or incomplete information in the assessment of these\ninformation types, although unlikely, may lead to an inaccurate system impact rating and\nconsequently, may lead to the inaccurate selection of the security controls required by\nNIST SP 800-53.\n\nRecommendation:\nPerform an analysis, as the Categorization document suggests, ensuring that all of the\nInformation Types outlined in the NIST SP 800-60 framework were appropriately\nincluded or excluded. Include documentation of this analysis in the Categorization\ndocumentation, along with the justification for including and excluding each of the\nInformation Types chosen. Moreover, this analysis should be tied to the Enterprise\nArchitecture. Additionally, CPSRMS\xe2\x80\x99s overall Security Impact assignment should be\nformalized once this NIST SP 800-60 assessment is completed.\n\n\nFINDING 8: The CPSRMS SSP does not outline specific Public Access controls in\nplace to mitigate the risks associated with allowing external user\xe2\x80\x99s access to\nCPSRMS.\n\nThe CPSRMS SSP does not outline specific Public Access controls in place to mitigate\nthe risks associated with allowing external user\xe2\x80\x99s access to CPSRMS. OMB A-130,\nTransmittal Memorandum #4, Management of Federal Information Resources, dated\nNovember 28, 2000 states that \xe2\x80\x9cwhere an agency\xe2\x80\x99s application promotes or permits\npublic access, additional security controls shall be added to protect the integrity of the\napplication and the confidence the public has in the application. Such controls shall\ninclude segregating information made directly accessible to the public from official\nagency records.\xe2\x80\x9d This is attributable to a lack of management oversight of the CRI\ncontract, and to management not effectively enforcing the stipulations set forth in the CRI\nStatement of Work. Consequently, without effective controls in place governing Public\nAccess, a public facing information system may provide an entry point for malicious\nusers to the system in an unintended manner (ex. intentionally damage the system or\nobtain access to sensitive data). Moreover, this lack of control may also allow well-\n\n\n\n                                                                                         21\n\x0cmeaning users to inadvertently damage information system or access sensitive\ninformation.\n\nRecommendation:\n\nDefine the specific Public Access controls in place/planned, or reference the document\ndefining these controls within the CPSRMS SSP.\n\n\n\n\n                                                                                         22\n\x0cAPPENDIX I: MANGEMENT RESPONSE\n\n\n\n\n PAGE INTENTIONALLY LEFT BANK\n\n\n\n\n                                 23\n\x0c\x0c\x0c\x0c\x0c"